Add BoundReferences to ComputedTrafficPermissions (#20593)

2024-02-13 12:27:24 -05:00 · 2024-02-13 12:27:24 -05:00 · ab3c6cf1e5
parent 0f0b080514
commit ab3c6cf1e5
6 changed files with 240 additions and 79 deletions
--- a/internal/auth/internal/controllers/trafficpermissions/builder.go
+++ b/internal/auth/internal/controllers/trafficpermissions/builder.go
@ -21,6 +21,7 @@ type trafficPermissionsBuilder struct {
 	denyPermissions    []*pbauth.Permission
 	sgExpander         expander.SamenessGroupExpander
 	sgMap              map[string][]*pbmulticluster.SamenessGroupMember
+	brc                *resource.BoundReferenceCollector
 }

 type missingSamenessGroupReferences struct {
@ -28,7 +29,10 @@ type missingSamenessGroupReferences struct {
 	samenessGroups []string
 }

-func newTrafficPermissionsBuilder(expander expander.SamenessGroupExpander, sgMap map[string][]*pbmulticluster.SamenessGroupMember) *trafficPermissionsBuilder {
+func newTrafficPermissionsBuilder(
+	expander expander.SamenessGroupExpander,
+	sgMap map[string][]*pbmulticluster.SamenessGroupMember,
+	brc *resource.BoundReferenceCollector) *trafficPermissionsBuilder {
 	return &trafficPermissionsBuilder{
 		sgMap:              sgMap,
 		missing:            make(map[resource.ReferenceKey]missingSamenessGroupReferences),
@ -36,11 +40,14 @@ func newTrafficPermissionsBuilder(expander expander.SamenessGroupExpander, sgMap
 		sgExpander:         expander,
 		allowedPermissions: make([]*pbauth.Permission, 0),
 		denyPermissions:    make([]*pbauth.Permission, 0),
+		brc:                brc,
 	}
 }

 // track will use all associated XTrafficPermissions to create new ComputedTrafficPermissions samenessGroupsForTrafficPermission
 func track[S types.XTrafficPermissions](tpb *trafficPermissionsBuilder, xtp *resource.DecodedResource[S]) {
+	tpb.brc.AddRefOrID(xtp.Id)
+
 	permissions, missingSamenessGroups := tpb.sgExpander.Expand(xtp.Data, tpb.sgMap)

 	if len(missingSamenessGroups) > 0 {
@ -64,6 +71,7 @@ func (tpb *trafficPermissionsBuilder) build() (*pbauth.ComputedTrafficPermission
 		AllowPermissions: tpb.allowedPermissions,
 		DenyPermissions:  tpb.denyPermissions,
 		IsDefault:        tpb.isDefault,
+		BoundReferences:  tpb.brc.List(),
 	}, tpb.missing
 }

--- a/internal/auth/internal/controllers/trafficpermissions/controller.go
+++ b/internal/auth/internal/controllers/trafficpermissions/controller.go
@ -10,21 +10,15 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"

 	"github.com/hashicorp/consul/internal/auth/internal/controllers/trafficpermissions/expander"
-	"github.com/hashicorp/consul/internal/auth/internal/types"
 	"github.com/hashicorp/consul/internal/controller"
 	"github.com/hashicorp/consul/internal/controller/cache"
 	"github.com/hashicorp/consul/internal/controller/cache/index"
-	"github.com/hashicorp/consul/internal/controller/cache/indexers"
 	"github.com/hashicorp/consul/internal/controller/dependency"
 	"github.com/hashicorp/consul/internal/resource"
 	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1"
 	"github.com/hashicorp/consul/proto-public/pbresource"
 )

-const (
-	TenancyIndexName = "tenancy"
-)
-
 // TrafficPermissionsMapper is used to map a watch event for a TrafficPermissions resource and translate
 // it to a ComputedTrafficPermissions resource which contains the effective permissions
 // from all referencing TrafficPermissions resources.
@ -52,6 +46,8 @@ func Controller(mapper TrafficPermissionsMapper, sgExpander expander.SamenessGro

 	samenessGroupIndex := GetSamenessGroupIndex()

+	boundRefsMapper := dependency.CacheListMapper(pbauth.ComputedTrafficPermissionsType, BoundRefsIndexName)
+
 	// Maps incoming PartitionTrafficPermissions to ComputedTrafficPermissions requests by prefix searching
 	// the CTP's tenancy.
 	ptpToCtpMapper := func(ctx context.Context, rt controller.Runtime, res *pbresource.Resource) ([]controller.Request, error) {
@ -91,29 +87,20 @@ func Controller(mapper TrafficPermissionsMapper, sgExpander expander.SamenessGro
 		return reqs, nil
 	}

-	ctrl := controller.NewController(StatusKey, pbauth.ComputedTrafficPermissionsType).
-		WithWatch(pbauth.WorkloadIdentityType, dependency.ReplaceType(pbauth.ComputedTrafficPermissionsType)).
-		WithWatch(pbauth.TrafficPermissionsType, mapper.MapTrafficPermissions, samenessGroupIndex).
-		WithWatch(pbauth.PartitionTrafficPermissionsType, ptpToCtpMapper,
-			indexers.DecodedSingleIndexer(
-				TenancyIndexName,
-				index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) {
-					return index.IndexFromTenancy(t), nil
-				}),
-				func(r *types.DecodedPartitionTrafficPermissions) (bool, []byte, error) {
-					return true, index.IndexFromTenancy(r.Id.Tenancy), nil
-				},
-			)).
-		WithWatch(pbauth.NamespaceTrafficPermissionsType, ntpToCtpMapper,
-			indexers.DecodedSingleIndexer(
-				TenancyIndexName,
-				index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) {
-					return index.IndexFromTenancy(t), nil
-				}),
-				func(r *types.DecodedNamespaceTrafficPermissions) (bool, []byte, error) {
-					return true, index.IndexFromTenancy(r.Id.Tenancy), nil
-				},
-			)).
+	ctrl := controller.NewController(StatusKey,
+		pbauth.ComputedTrafficPermissionsType,
+		boundRefsIndex).
+		WithWatch(pbauth.WorkloadIdentityType,
+			dependency.ReplaceType(pbauth.ComputedTrafficPermissionsType)).
+		WithWatch(pbauth.TrafficPermissionsType,
+			dependency.MultiMapper(boundRefsMapper, mapper.MapTrafficPermissions),
+			samenessGroupIndex).
+		WithWatch(pbauth.PartitionTrafficPermissionsType,
+			dependency.MultiMapper(boundRefsMapper, ptpToCtpMapper),
+			indexPtpByTenancy()).
+		WithWatch(pbauth.NamespaceTrafficPermissionsType,
+			dependency.MultiMapper(boundRefsMapper, ntpToCtpMapper),
+			indexNtpByTenancy()).
 		WithReconciler(&reconciler{mapper: mapper, sgExpander: sgExpander})

 	return registerEnterpriseControllerWatchers(ctrl)
@ -124,11 +111,23 @@ type reconciler struct {
 	sgExpander expander.SamenessGroupExpander
 }

-// Reconcile will reconcile one ComputedTrafficPermission (CTP) in response to some event.
+// Reconcile will reconcile one ComputedTrafficPermissions (CTP) in response to some event.
 // Events include adding, modifying or deleting a WorkloadIdentity or TrafficPermission or SamenessGroupType.
 func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req controller.Request) error {
 	rt.Logger = rt.Logger.With("resource-id", req.ID, "controller", StatusKey)

+	// The bound reference collector is supposed to aggregate all
+	// references to resources that influence the production of
+	// a ComputedTrafficPermissions resource.
+	//
+	// We only add a reference to the collector if the following are ALL true:
+	//
+	// - We load the resource for some reason.
+	// - The resource is found.
+	// - We decided to use the information in that resource to produce
+	//   ComputedTrafficPermissions.
+	brc := resource.NewBoundReferenceCollector()
+
 	ctpID := req.ID
 	oldCTPData, err := resource.GetDecodedResource[*pbauth.ComputedTrafficPermissions](ctx, rt.Client, ctpID)
 	if err != nil {
@ -171,13 +170,12 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c
 	}

 	sgMap, err := r.sgExpander.List(ctx, rt, req)
-
 	if err != nil {
 		rt.Logger.Error("error retrieving sameness groups", err.Error())
 		return err
 	}

-	trafficPermissionBuilder := newTrafficPermissionsBuilder(r.sgExpander, sgMap)
+	trafficPermissionBuilder := newTrafficPermissionsBuilder(r.sgExpander, sgMap, brc)
 	var tpResources []*pbresource.Resource

 	// Part 2: Recompute a CTP from TP create / modify / delete, or create a new CTP from existing TPs:
--- a/internal/auth/internal/controllers/trafficpermissions/controller_test.go
+++ b/internal/auth/internal/controllers/trafficpermissions/controller_test.go
@ -11,11 +11,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"

-	svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
 	"github.com/hashicorp/consul/internal/auth/internal/controllers/trafficpermissions/expander"
 	"github.com/hashicorp/consul/internal/auth/internal/mappers/trafficpermissionsmapper"
 	"github.com/hashicorp/consul/internal/auth/internal/types"
 	"github.com/hashicorp/consul/internal/controller"
+	"github.com/hashicorp/consul/internal/controller/controllertest"
 	"github.com/hashicorp/consul/internal/multicluster"
 	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/resourcetest"
@ -52,13 +52,16 @@ func (suite *controllerSuite) SetupTest() {
 	suite.isEnterprise = versiontest.IsEnterprise()
 	suite.tenancies = resourcetest.TestTenancies()
 	suite.ctx = testutil.TestContext(suite.T())
-	client := svctest.NewResourceServiceBuilder().
-		WithRegisterFns(types.Register, multicluster.RegisterTypes).
-		WithTenancies(append(suite.tenancies, suite.bazTenancy)...).
-		Run(suite.T())
+
 	// TODO: a lot of the fields below should be consolidated to controller only
 	suite.mapper = trafficpermissionsmapper.New()
 	suite.sgExpander = expander.GetSamenessGroupExpander()
+	client := controllertest.NewControllerTestBuilder().
+		WithResourceRegisterFns(types.Register, multicluster.RegisterTypes).
+		WithTenancies(append(suite.tenancies, suite.bazTenancy)...).
+		WithControllerRegisterFns(func(mgr *controller.Manager) {
+			mgr.Register(Controller(suite.mapper, suite.sgExpander))
+		}).Run(suite.T())
 	suite.ctl = controller.NewTestController(
 		Controller(suite.mapper, suite.sgExpander),
 		client,
@ -710,6 +713,91 @@ func (suite *controllerSuite) TestReconcile_TrafficPermissionsDelete_Destination
 	})
 }

+// 1. Create ALLOW traffic permission granting foo -> bar
+// 2. Observe reconciler write CTP for bar listing source foo
+// 3. User updates TP from step 1 to instead grant foo -> baz
+// 4. Observe reconciler update CTP for bar to list source baz
+// 5. (must) Observe reconciler update CTP for bar to default (no permissions)
+func TestController_OrphanedTrafficPermissions(t *testing.T) {
+	client := rtest.NewClient(
+		controllertest.NewControllerTestBuilder().
+			WithTenancies(resourcetest.TestTenancies()...).
+			WithResourceRegisterFns(types.Register).
+			WithControllerRegisterFns(func(mgr *controller.Manager) {
+				mgr.Register(Controller(trafficpermissionsmapper.New(), expander.GetSamenessGroupExpander()))
+			}).
+			Run(t),
+	)
+
+	for _, tenancy := range resourcetest.TestTenancies() {
+		t.Run(fmt.Sprintf("%s_Namespace_%s_Partition", tenancy.Namespace, tenancy.Partition), func(t *testing.T) {
+			// Create the workload identities
+			foo := rtest.Resource(pbauth.WorkloadIdentityType, "foo").WithTenancy(tenancy).Write(t, client)
+			bar := rtest.Resource(pbauth.WorkloadIdentityType, "bar").WithTenancy(tenancy).Write(t, client)
+			baz := rtest.Resource(pbauth.WorkloadIdentityType, "baz").WithTenancy(tenancy).Write(t, client)
+
+			// Make the CTP IDs for reference
+			fooCTPID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, foo.Id)
+			barCTPID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, bar.Id)
+			bazCTPID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, baz.Id)
+
+			// Create foo -> bar traffic permissions
+			fooToBarData := &pbauth.TrafficPermissions{
+				Destination: &pbauth.Destination{
+					IdentityName: "bar",
+				},
+				Action: pbauth.Action_ACTION_ALLOW,
+				Permissions: []*pbauth.Permission{
+					{
+						Sources: []*pbauth.Source{
+							{
+								IdentityName: "foo",
+								Namespace:    tenancy.Namespace,
+								Partition:    tenancy.Partition,
+							},
+						},
+					},
+				},
+			}
+			_ = rtest.Resource(pbauth.TrafficPermissionsType, "tp").
+				WithTenancy(tenancy).
+				WithData(t, fooToBarData).
+				Write(t, client)
+
+			// Check that CTP for foo exists
+			_ = client.WaitForResourceExists(t, fooCTPID)
+
+			// CTP for bar should list source foo and therefore is not default
+			barCTP := client.WaitForResourceExists(t, barCTPID)
+			decodedBarCTP := resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, barCTP)
+			require.False(t, decodedBarCTP.Data.IsDefault)
+
+			// CTP for baz should be default
+			bazCTP := client.WaitForResourceExists(t, bazCTPID)
+			decodedBazCTP := resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, bazCTP)
+			require.True(t, decodedBazCTP.Data.IsDefault)
+
+			// Mutate fooToBar to change destination from bar to baz.
+			// The CTP for bar no longer has references and should be reset on reconcile.
+			fooToBarData.Destination.IdentityName = "baz"
+			_ = rtest.Resource(pbauth.TrafficPermissionsType, "tp").
+				WithTenancy(tenancy).
+				WithData(t, fooToBarData).
+				Write(t, client)
+
+			// Ensure that the CTP for bar is reverted to default
+			barCTP = client.WaitForNewVersion(t, barCTPID, barCTP.Version)
+			decodedBarCTP = resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, barCTP)
+			require.True(t, decodedBarCTP.Data.IsDefault)
+
+			// Ensure that the CTP for baz is no longer default
+			bazCTP = client.WaitForNewVersion(t, bazCTPID, bazCTP.Version)
+			decodedBazCTP = resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, bazCTP)
+			require.False(t, decodedBazCTP.Data.IsDefault)
+		})
+	}
+}
+
 func (suite *controllerSuite) TestControllerBasic() {
 	// TODO: refactor this
 	// In this test we check basic operations for a workload identity and referencing traffic permission
--- a/internal/auth/internal/controllers/trafficpermissions/index.go
+++ b/internal/auth/internal/controllers/trafficpermissions/index.go
@ -0,0 +1,43 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package trafficpermissions
+
+import (
+	"github.com/hashicorp/consul/internal/auth/internal/types"
+	"github.com/hashicorp/consul/internal/controller/cache/index"
+	"github.com/hashicorp/consul/internal/controller/cache/indexers"
+	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+const (
+	TenancyIndexName   = "tenancy"
+	BoundRefsIndexName = "bound-references"
+)
+
+func indexNtpByTenancy() *index.Index {
+	return indexers.DecodedSingleIndexer(
+		TenancyIndexName,
+		index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) {
+			return index.IndexFromTenancy(t), nil
+		}),
+		func(r *types.DecodedNamespaceTrafficPermissions) (bool, []byte, error) {
+			return true, index.IndexFromTenancy(r.Id.Tenancy), nil
+		},
+	)
+}
+
+func indexPtpByTenancy() *index.Index {
+	return indexers.DecodedSingleIndexer(
+		TenancyIndexName,
+		index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) {
+			return index.IndexFromTenancy(t), nil
+		}),
+		func(r *types.DecodedPartitionTrafficPermissions) (bool, []byte, error) {
+			return true, index.IndexFromTenancy(r.Id.Tenancy), nil
+		},
+	)
+}
+
+var boundRefsIndex = indexers.BoundRefsIndex[*pbauth.ComputedTrafficPermissions](BoundRefsIndexName)
--- a/proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go
+++ b/proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go
@ -10,7 +10,7 @@
 package authv2beta1

 import (
-	_ "github.com/hashicorp/consul/proto-public/pbresource"
+	pbresource "github.com/hashicorp/consul/proto-public/pbresource"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@ -32,6 +32,9 @@ type ComputedTrafficPermissions struct {
 	AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"`
 	DenyPermissions  []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"`
 	IsDefault        bool          `protobuf:"varint,3,opt,name=is_default,json=isDefault,proto3" json:"is_default,omitempty"`
+	// BoundReferences is a slice of mixed type references of resources that were
+	// involved in the formulation of this resource.
+	BoundReferences []*pbresource.Reference `protobuf:"bytes,4,rep,name=bound_references,json=boundReferences,proto3" json:"bound_references,omitempty"`
 }

 func (x *ComputedTrafficPermissions) Reset() {
@ -87,6 +90,13 @@ func (x *ComputedTrafficPermissions) GetIsDefault() bool {
 	return false
 }

+func (x *ComputedTrafficPermissions) GetBoundReferences() []*pbresource.Reference {
+	if x != nil {
+		return x.BoundReferences
+	}
+	return nil
+}
+
 var File_pbauth_v2beta1_computed_traffic_permissions_proto protoreflect.FileDescriptor

 var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{
@ -99,41 +109,48 @@ var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{
 	0x61, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69,
 	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x70, 0x62,
 	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf1, 0x01, 0x0a, 0x1a, 0x43,
-	0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65,
-	0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x56, 0x0a, 0x11, 0x61, 0x6c, 0x6c,
-	0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
-	0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62,
-	0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52,
-	0x10, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
-	0x73, 0x12, 0x54, 0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73,
-	0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x68, 0x61,
-	0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61,
-	0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d,
-	0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d,
-	0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x64, 0x65,
-	0x66, 0x61, 0x75, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44,
-	0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x3a, 0x06, 0xa2, 0x93, 0x04, 0x02, 0x08, 0x03, 0x42, 0xa0,
-	0x02, 0x0a, 0x21, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
-	0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62,
-	0x65, 0x74, 0x61, 0x31, 0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72,
-	0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
-	0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f,
-	0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69,
-	0x63, 0x2f, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31,
-	0x3b, 0x61, 0x75, 0x74, 0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48,
-	0x43, 0x41, 0xaa, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43,
-	0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0xca, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43,
-	0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0xe2, 0x02, 0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43,
-	0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02,
-	0x20, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73,
-	0x75, 0x6c, 0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61,
-	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x70, 0x62, 0x72, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc2, 0x02, 0x0a, 0x1a, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74,
+	0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
+	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x56, 0x0a, 0x11, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x65,
+	0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x29, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73,
+	0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e,
+	0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x10, 0x61, 0x6c, 0x6c, 0x6f,
+	0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x54, 0x0a, 0x10,
+	0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73,
+	0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
+	0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76,
+	0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
+	0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c,
+	0x74, 0x12, 0x4f, 0x0a, 0x10, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x72, 0x65, 0x66, 0x65, 0x72,
+	0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x68, 0x61,
+	0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x72,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63,
+	0x65, 0x52, 0x0f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63,
+	0x65, 0x73, 0x3a, 0x06, 0xa2, 0x93, 0x04, 0x02, 0x08, 0x03, 0x42, 0xa0, 0x02, 0x0a, 0x21, 0x63,
+	0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e,
+	0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31,
+	0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69,
+	0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c,
+	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62,
+	0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x61, 0x75, 0x74,
+	0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, 0x43, 0x41, 0xaa, 0x02,
+	0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75,
+	0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02,
+	0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75,
+	0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2, 0x02,
+	0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75,
+	0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47,
+	0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x20, 0x48, 0x61, 0x73,
+	0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a,
+	0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@ -152,15 +169,17 @@ var file_pbauth_v2beta1_computed_traffic_permissions_proto_msgTypes = make([]pro
 var file_pbauth_v2beta1_computed_traffic_permissions_proto_goTypes = []interface{}{
 	(*ComputedTrafficPermissions)(nil), // 0: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions
 	(*Permission)(nil),                 // 1: hashicorp.consul.auth.v2beta1.Permission
+	(*pbresource.Reference)(nil),       // 2: hashicorp.consul.resource.Reference
 }
 var file_pbauth_v2beta1_computed_traffic_permissions_proto_depIdxs = []int32{
 	1, // 0: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions.allow_permissions:type_name -> hashicorp.consul.auth.v2beta1.Permission
 	1, // 1: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions.deny_permissions:type_name -> hashicorp.consul.auth.v2beta1.Permission
-	2, // [2:2] is the sub-list for method output_type
-	2, // [2:2] is the sub-list for method input_type
-	2, // [2:2] is the sub-list for extension type_name
-	2, // [2:2] is the sub-list for extension extendee
-	0, // [0:2] is the sub-list for field type_name
+	2, // 2: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions.bound_references:type_name -> hashicorp.consul.resource.Reference
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
 }

 func init() { file_pbauth_v2beta1_computed_traffic_permissions_proto_init() }
--- a/proto-public/pbauth/v2beta1/computed_traffic_permissions.proto
+++ b/proto-public/pbauth/v2beta1/computed_traffic_permissions.proto
@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1;

 import "pbauth/v2beta1/traffic_permissions.proto";
 import "pbresource/annotations.proto";
+import "pbresource/resource.proto";

 message ComputedTrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
@ -14,4 +15,8 @@ message ComputedTrafficPermissions {
  repeated Permission allow_permissions = 1;
  repeated Permission deny_permissions = 2;
  bool is_default = 3;
+
+  // BoundReferences is a slice of mixed type references of resources that were
+  // involved in the formulation of this resource.
+  repeated hashicorp.consul.resource.Reference bound_references = 4;
 }